Cybersecurity Triage
Count Failed SSH Login IPs
You need to rank source IPs from failed SSH login attempts.
Command
sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr
What changed
Nothing changes. The command extracts source IPs and counts repeats.
Danger
safe
When to use it
Use when deciding whether one source is causing most SSH noise.
When not to use it
Do not block IPs from this output alone without considering NATs, allowlists, and policy.
Undo or recovery
No undo needed because this command is read-only.
Expected output
A count-sorted list of source IP addresses from failed SSH attempts.
demo script
Disposable terminal steps
grep 'Failed password' logs/auth.log
sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr
simulated output
What it looks like
$ grep 'Failed password' logs/auth.log
Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:00:03 vps sshd[1002]: Failed password for root from 203.0.113.44 port 51124 ssh2
Jun 25 12:01:10 vps sshd[1003]: Failed password for deploy from 198.51.100.77 port 41002 ssh2
$ sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr
2 203.0.113.44
1 198.51.100.77
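The sed pattern captures only `[0-9.]*`, so failed logins from IPv6 sources drop out of the ranking, and a line that syslog has collapsed into "message repeated N times" counts once. The function below is an added example, not part of the original card: it is still read-only, the names rank_failed_ssh and sample_log and the log lines are constructed for illustration, and the repeated-message format is assumed to be rsyslog's.

```shell
#!/bin/sh
# rank_failed_ssh [FILE...]: print "count source", highest count first.
# Reads stdin when no file is given. Read-only, like the sed pipeline.
rank_failed_ssh() {
  awk '
    /Failed password for / {
      weight = 1
      # rsyslog form: "message repeated N times: [ <original message>]"
      for (i = 1; i <= NF - 2; i++)
        if ($i == "repeated" && $(i + 2) ~ /^times/) weight = $(i + 1) + 0
      # Source address = field between the last "from" and "port".
      src = ""
      for (i = NF - 1; i > 2; i--)
        if ($i == "port" && $(i - 2) == "from") { src = $(i - 1); break }
      # Keep IPv4 and IPv6 literals only; anything else is skipped.
      if (src ~ /^[0-9A-Fa-f:.]+$/) count[src] += weight
    }
    END { for (s in count) printf "%d %s\n", count[s], s }
  ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation address ranges only).
sample_log() {
  cat <<'EOF'
Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:00:03 vps sshd[1002]: Failed password for root from 203.0.113.44 port 51124 ssh2
Jun 25 12:00:09 vps sshd[1002]: message repeated 3 times: [ Failed password for root from 203.0.113.44 port 51124 ssh2]
Jun 25 12:01:10 vps sshd[1003]: Failed password for deploy from 198.51.100.77 port 41002 ssh2
Jun 25 12:02:00 vps sshd[1004]: Failed password for root from 2001:db8::5 port 40022 ssh2
Jun 25 12:02:30 vps sshd[1005]: Accepted password for deploy from 198.51.100.77 port 41010 ssh2
EOF
}

sample_log | rank_failed_ssh
```

On the sample, the original sed pipeline would report 3 for 203.0.113.44 and omit 2001:db8::5 entirely.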
YouTube Short
Rank failed SSH IPs.
Extract source IPs from failed SSH lines and count them to find the loudest source.
LinkedIn hook
The loudest SSH source is usually visible with one count.
Question: Do you rank SSH failure sources before touching firewall rules?
experiments
A/B tests to run
Metric: completion_rate
A: Rank source IPs.
B: Before firewall changes.